Bug 1216564 - Missing directory /usr/share/ca-certificates for charon
Status: RESOLVED WONTFIX
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Network
Version: Leap 15.5
Hardware: x86-64 openSUSE Leap 15.5
Priority: P5 - None, Severity: Major
Target Milestone: ---
Assignee: Mohd Saquib
QA Contact: E-mail List
 
Reported: 2023-10-25 13:23 UTC by Rodrigo Gonçalves
Modified: 2024-07-04 12:27 UTC
mohd.saquib: needinfo? (keitarobr)


Description Rodrigo Gonçalves 2023-10-25 13:23:14 UTC
charon-nm is looking for certificates at /usr/share-ca-certificates, but this directory does not exist. 

Thus it can't validate a valid certificate for an IPSec/IKEv2 VPN server (does not find the GlobalSign root certificates).

I solved the issue issuing the following command:

sudo ln -s /var/lib/ca-certificates/pem /usr/share/ca-certificates
Comment 1 Chenzi Cao 2023-11-29 03:45:38 UTC
Hi Bjørn, would you please help to take a look at this issue? I'm not sure whether it is correct to assign it to you, please feel free to reassign whenever necessary, thanks.
Comment 2 Bjørn Lie 2023-11-29 11:12:50 UTC
(In reply to Chenzi Cao from comment #1)
> Hi Bjørn, would you please help to take a look at this issue? I'm not sure
> whether it is correct to assign it to you, please feel free to reassign
> whenever necessary, thanks.

Fairly sure this comes from Strongswan-nm

-> moving to Strongswan bugowner
Comment 3 Mohd Saquib 2023-12-13 07:39:51 UTC
Hi,
Could you please provide a reproducer for this? I will try to reproduce it locally.
Comment 4 Mohd Saquib 2024-01-04 08:10:12 UTC
ping
Comment 5 Rodrigo Gonçalves 2024-01-04 11:01:24 UTC
Hi, since this is a VPN server we can't provide a test login due to our policies.

I'm going to set up a test server using a similar certificate for testing purposes in the next two weeks. Is there a way to send the information privately?
Comment 6 Mohd Saquib 2024-01-04 11:14:57 UTC
You can email it to me at my work email, I suppose.
Comment 7 Mohd Saquib 2024-01-30 08:50:30 UTC
Hi,
Any progress on recreating the setup?
Comment 8 Mohd Saquib 2024-02-19 09:50:23 UTC
I'm assuming this bug is not an issue anymore? Please let me know if it's still the case. I'll go ahead and close it if there's no response in a few days' time.
Comment 9 Rodrigo Gonçalves 2024-02-19 17:56:09 UTC
(In reply to Mohd Saquib from comment #8)
> I'm assuming this bug is not an issue anymore? Please let me know if it's
> still the case. I'll go ahead and close it if there's no response in a few
> days' time.

Dear Mohd Saquib,

sorry for the late response. I couldn't allocate the resources for a test server. 

Thus you can close this bug if you can't reproduce and we will keep instructing our users to do the manual fix we mentioned.
Comment 10 Mohd Saquib 2024-02-20 06:52:32 UTC
Thanks.. I'll close it for now.
Comment 11 B Nikolic 2024-07-04 12:27:10 UTC
I came across this bug using MicroOS.

The issue is that strongswan has a configure option --with-nm-ca-dir (see documentation https://docs.strongswan.org/docs/5.9/features/networkManager.html) which, if not otherwise set, defaults to /usr/share-ca-certificates which seems not to be the right place for SUSE.

Should be fixable by adding 

--with-nm-ca-dir=/var/lib/ca-certificates/pem

to the configure section of strongswan.spec, e.g. somewhere around line 306 of https://build.opensuse.org/projects/openSUSE:Leap:15.5:Update/packages/strongswan/files/strongswan.spec?expand=1.

I hope that helps, I don't have a test server or anything to try this but analysis of source code suggests this is the root cause.
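
A check for the condition this report describes, added here as an example and not part of the bug report or the strongSwan package: it classifies the directory charon-nm is expected to read CA certificates from, including the case where the symlink workaround points at a target that no longer exists. The function name and status words are made up for this example, and it assumes the certificates are PEM files placed directly in the directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from strongSwan or openSUSE).
# Prints one status word for the CA directory passed as $1:
#   missing | dangling-symlink | not-a-directory | empty | ok
nm_ca_dir_status() {
    dir=$1
    # A symlink whose target is gone (e.g. a stale manual workaround)
    if [ -L "$dir" ] && [ ! -e "$dir" ]; then
        echo dangling-symlink
        return 0
    fi
    if [ ! -e "$dir" ]; then
        echo missing
        return 0
    fi
    if [ ! -d "$dir" ]; then
        echo not-a-directory
        return 0
    fi
    # Count regular files (symlinks are followed) that carry a PEM
    # certificate header; an existing but empty directory is as
    # useless for chain validation as a missing one.
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo empty
    else
        echo ok
    fi
}

# Run as: sh check-nm-ca-dir.sh /usr/share/ca-certificates
if [ "$#" -gt 0 ]; then
    printf '%s: %s\n' "$1" "$(nm_ca_dir_status "$1")"
fi
```

Pass whichever path the installed charon-nm was built to use; the two paths mentioned in this report are /usr/share/ca-certificates and /var/lib/ca-certificates/pem.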